But the idea that the EU is going to single-handedly end advertising-driven websites is insane.

I don't recall anyone ever making that claim. GDPR has nothing to do with ad-driven sites. All it does is stop sites, companies, and advertisers from tracking users or collecting and using their personal data, without their knowledge or consent.

I don't recall anyone ever making that claim. GDPR has nothing to do with ad-driven sites. All it does is stop sites, companies, and advertisers from tracking users or collecting and using their personal data, without their knowledge or consent.

Which is the exact description of how all modern advertising, specifically Google Adsense and Facebook Ads work.

We already have to click "No I don't want to subscribe to your newsletter"

That's actually one thing that should change, incidentally, because now publishers are NOT allowed to assume that people want their newsletter. It must be opt-in, not opt-out, so you shouldn't even have to click if you don't want the newsletter.

That's actually one thing that should change, incidentally, because now publishers are NOT allowed to assume that people want their newsletter. It must be opt-in, not opt-out, so you shouldn't even have to click if you don't want the newsletter.

The newsletter and mobile app offers are opt-in messages displayed for guests.

By the way, I love to tell this story. I was at a friend's house and mentioned a book on my shelf at home which I had not searched for or otherwise referenced in cyberspace for years. The next day, I saw an ad for it online. This is not apocryphal. I have several friends who have reported similar experiences.

Our devices are listening to everything we say, monitoring every search we do -- not just on Google.com but Amazon, eBay, etc., showing us ads specific to our personal profiles stored by data warehouse companies. Everything is microtargeted. American cell phone carriers sell our GPS data to advertisers. Data brokers know our medical conditions, sexual preference, etc. During the 2016 election, Trump's online campaign manager had Facebook employees working at Trump HQ teaching them how to microtarget ads to individual voters. They used computer learning and automated scripts to create over 10,000 uniquely colored, phrased, and targeted advertisements PER DAY and showed them to individual voters based on the company's intrusively detailed profile on them.

Yet people keep saying the GDPR is "no big deal", just a few common sense regulations that everyone should be able to comply with and we are "overreacting". No we're not and no it's not simple. Google and Facebook are going to have to completely change how they operate and advertise and target consumers on May 25th or they will face massive fines. Every bit of learning they've introduced in the last 20 years will have to be rolled back to 1998 style banner ads that are "dumb" and don't know anything about you.

And during all this, every other site owner is being swept up in these regulations even if we only make a few dollars a month in ad revenue.

Google and Facebook are going to have to completely change how they operate and advertise and target consumers on May 25th or they will face massive fines

Facebook apparently moved some of the processing out of their Ireland office to make them not have their supervisory authority (=regulator) inside the EU specifically to avoid having to shoulder all of that hassle. (Henceforth only EU users apparently will be affected by this, and they are free to carry on doing this for all the other users. I don't understand practically how this could possibly work, but Facebook has some very expensive lawyers.)

As for Google, I've seen the paperwork. I've even sat and gone through the model clauses they're using to make sure transporting data out of the EEA (not the EU, something quite different legally) was legitimate, even though the paperwork is only covering the previous legislation, not the incoming one as it refers to 95/46/EC (aka 1995's Data Protection Directive, not the GDPR) and Google clearly thinks it has covered its posterior sufficiently.

feldon30 said:

And every other site owner is being swept up in these regulations as well even if we only make a few dollars a month in ad revenue.

Even if you make no dollars a month and don't monetise your site this is relevant. And yet, as I've said repeatedly, a good 90% of this was already applicable. This has literally been law for 20 years in Europe. 20 YEARS. The only new things, really, are portability and deletion of data and the headline-grabbing fines. Right to access was already there, so was consent. These have been tightened up a bit and made more in line with the original intent which in some ways is just common sense - people were fed up of opting out of newsletters they didn't want in the first place.

You only have to check your mail inbox to see how YOUR data without YOUR permission is being thrown around, sold and resold to get an angle on this. My inbox is filled every day with newsletters and sales pitches for something I never heard of, never signed up for nor agreed that my data could be used in such a way for. At first I was annoyed at the GDPR for making us jump through hoops to tighten up how we use people's data and to ensure that we treat it with the respect it deserves. It's nobody's data but our own and if we want to sell it, that's up to us, not someone else who wants to make a quick buck and be damned if they sell it to someone unscrupulous who then has a data breach because they couldn't care less and people's lives can be in tatters when they suffer from identity theft. The bigger the company the more audacious they are because they can afford high paid lawyers to wriggle them out of trouble.

The GDPR isn't penalising sites that run advertising, they're simply making them man up and tell people what they're doing in respect of selling your data and then making them ask for your permission to do so. Taking your personal data, profiling you with it and then using it to make money without you knowing about it, well it's just amoral. And just because it's been going on for years, doesn't make it right. If those BIG companies fold, so what? They deserve it for using people to feather their own nests and treating them like chattel.

IPS posted what I thought was a good and reassuring article on this a few days ago, then someone who (seemingly) knows what he's talking about has just ripped it to pieces. Just when I thought I was ok to carry on as usual, now I am back to having no clue again

This is going to happen - because a lot of the GDPR is open to interpretation there are going to be conflicts of opinion. The real test of time will come when (I would have said 'if' but no longer) a case comes before a court of law and then we will see what interpretation is going to be considered correct. In the meantime just do what you feel is the correct thing to do based upon what has been said and discovered. Beyond that, there is not much else anyone can do.

IPS posted what I thought was a good and reassuring article on this a few days ago, then someone who (seemingly) knows what he's talking about has just ripped it to pieces. Just when I thought I was ok to carry on as usual, now I am back to having no clue again

Hmm, I've just skim-read the comments to that article, and I'm not entirely convinced that that person is correct, despite seeming to be reasonably intelligent and informed.

If it were true that companies all had to use GDPR compliant software, otherwise the entire venture is not GDPR compliant, then large amounts of the EU are not compliant because there are a great many institutions using platforms that by themselves are not compliant, and never going to be - and they don't *need* to be provided that the operations required can be carried out manually. As long as a deletion request comes in and is properly handled, that's sufficient for compliance with RTBF. Yes, there is the general guidance to use software that has privacy by design, but it's simply not possible to re-engineer that in in all cases, nor is it reasonable to expect industries to just retool their entire software setup.

Reason for that? Word, and Excel. Word and Excel can be used to put people's data in. And no doubt will have been - and Word and Excel can't be 'made compliant' but it's not about making the tool compliant, it's about making the process compliant.

I wonder if I am the only one who finds it particularly interesting that those who seem the most opposed to this legislation are from the US, a place which has often been touted as a beacon of individual rights.

I have never once said I'm opposed to the idea of a law like this. I am just not happy about the EU assuming they can just force a law on the rest of the world. This is not the first time they've attempted to overstep their jurisdiction. I don't know if you've been paying attention to the EU but if not you really should read up on them. You're always going to see knee-jerk reactions from people in the US over any outside nation attempting to force us to follow their laws. This attitude is the reason we're even a country in the first place.

Those of us with two brain cells to rub together have warned anyone that would listen for many years that storing all that personal data with third parties was a bad idea. Most people rolled their eyes and called us paranoid. You guys are speaking of the early/good days of the internet/web but you've yet to mention the main reason why it was such a nice place: everyone was putting up content because they simply wanted to and the people storing personal data weren't running analytics on it to serve up a never ending stream of ads and broken JavaScript from other third parties that probably contains malware. The greed hadn't set in yet. By all means cover your operating costs, hell make a decent living, but people are taking it too far now and attempting to get rich. You can make a living on the web without Google and its ad-network. If we all ran our own advertising things would improve so much. I tell people they can ditch Google altogether and they say it's impossible... that's how bad things have gotten.

This law is not going to hurt the big companies that matter. They'll do their usual underhanded stuff to avoid paying any fines/taxes. It'll just be something that makes it more of a burden for the small guy to get something going on the internet. Google, Facebook, Microsoft and all the rest of them don't care they'll eat a fine here and there and chalk it up to the cost of doing business. They're making so much on the other side that it doesn't even matter to them. I'm sure the lawyers are already thinking along the same lines as I am.

Anyway, we're fine on this end of the pond. We'll have something similar coming along soon I'm sure. As long as it comes from my own Government and I have the freedom to complain about it (because I'm sure it'll be awful like most laws they pass) I'm content. You won't see anything major until after midterms though, right now the crooked people that run our Government are more concerned about keeping their jobs. They're in full on ass-kissing mode at the moment so they aren't going to be doing much until the end of the year.

feldon30 I'd appreciate it if you did not quote me out of context to prove a point that another member stated. Yes, the GDPR is open to interpretation depending on what points are being referred to - not ALL of it is open to interpretation, there are many, many parts that explain explicitly what is required, some parts will be open to interpretation, but that is not our job to do the interpreting, that job is down to the courts and until any case is brought under the GDPR we will not know for sure whose interpretation is the one that will have to be adhered to.

It would be beneficial if everyone commenting on the GDPR actually read the document in its entirety and if there are any points that are unclear or lead you to making an interpretation that you are unsure about, consult the enforcing body in your own country within the EU. If you are outside of the EU then you would be better placed to wait and see what transpires rather than making uninformed statements based on your opinion, which may or may not be accurate.

I also understand the anger from some who do not live in the EU and are having to come to terms with this new regulation, but if the ball was on the other foot and that law was coming from your own countries, you would no doubt be attempting to lean the other way. Some laws are regional, some laws are country specific and some laws are international. Depending on the agreements between countries will depend on what laws can cross borders. So until or unless your respective governments say otherwise, it would be in everyone's interests to do whatever you can to comply. After all, we are discussing something that can affect all of us in some pretty unpleasant ways and, quite possibly, already has to many.

Attempting to point score over one another degrades the discussion and adds nothing useful that can be gleaned and applied once this regulation comes into effect on 25th May 2018.

I have never once said I'm opposed to the idea of a law like this. I am just not happy about the EU assuming they can just force a law on the rest of the world.

Thanks for the reply. I understand that initial reaction -- I had it myself. I was one of the ones early on who was thinking about closing off my forum to EU visitors rather than be subjected to what seemed like a vague, overarching legislation. Given some time to reflect, and to read over the law and what it was trying to do, I've come around to agreeing with the idea, and I've been working to make my own forum compliant, even though I don't believe I need to.

I expected the same sort of response from American forum owners. And while many, like you, have come to say you aren't against the idea of GDPR, I haven't heard many say they were going to support that idea by making their own sites compliant, whether they legally needed to or not. It just seems like the kind of individual rights idea that Americans (and we Canucks) would embrace and run with, just because it is the right direction to go. So I'm guessing the primary reason for not doing it is because of where it comes from, either because it's from the EU specifically, or just externally in general.

Again, this isn't intended as a criticism or dig, just an observation.

With May 25th right around the corner, the GDPR is on a lot of people's minds with many also wondering how the use of cookies will be affected by it. Because of this, we wanted to take the opportunity to clarify some of the more common misconceptions related to cookies and the GDPR that we have received from our users over the last weeks and months.

Furthermore, unfortunately there is a lot of false information circulating online in regards to this topic, so we felt it was a good time to clarify this topic.

So, how does the GDPR govern cookies?
Well, the short answer is that it doesn't — cookie usage and its related requirements are not governed by the GDPR, they are instead governed by the ePrivacy Directive (or Cookie Law).

You can think of the ePrivacy Directive as currently “working alongside” the GDPR in a sense, rather than being replaced by it. With that said, the ePrivacy Directive is, in fact, going to be repealed soon by the ePrivacy Regulation which is still expected to work alongside the GDPR to regulate the requirements for the use of cookies. The regulation is expected to maintain values similar to the directive with much of the same guidelines applying.

Do I need to list the name of each cookie (including third-party cookies) used on our website or app?
No, the cookie law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose. This decision by the legislative authority is likely deliberate as to require this would mean that individual website/app owners would have to constantly monitor every single third-party cookie, looking for changes that are outside of their control. This would be both unreasonable and likely unhelpful to the average user.

Must I provide the mechanism for users to manage their cookies preferences (including withdrawal of consent) directly on my website or app?
No, the cookie law does not require that you provide users with the means to toggle cookie preferences directly on your site/app, only that you visibly provide the option for obtaining informed, active consent, provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained. This means the opt-out mechanism does not have to be hosted directly by you. In most cases under member state law, browser settings are considered to be an acceptable means of managing and withdrawing consent.

Do I need to keep records of consent to cookies for each user?
The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn. The simple way to do this would be to use a cookie solution that employs a prior blocking mechanism as under such circumstances, cookie installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.

This should make creating a cookie solution and designing the cookie banner even easier for everyone.
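
The prior-blocking mechanism described above, sketched as an added example (not part of the original post or of any particular cookie product): scripts are queued per category and only executed after an explicit grant, and a withdrawal blocks later loads. `ConsentGate`, the category names and the loaders are hypothetical; in a browser each loader would inject the real script tag.

```javascript
// Added illustration of prior blocking; every name here is hypothetical.
class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.pending = new Map(); // category -> [{ name, load }] waiting for consent
    this.granted = new Set(); // categories with active consent
    this.executed = [];       // names of scripts that actually ran
    this.events = [];         // grant / withdraw trail with timestamps
  }

  // Register a script under a category; it runs now only if consent is active.
  register(category, name, load) {
    if (this.granted.has(category)) return this.run(name, load);
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, load });
  }

  run(name, load) {
    load();
    this.executed.push(name);
  }

  // Call only from an explicit user action (e.g. an "Accept" click handler).
  grant(category) {
    if (this.granted.has(category)) return;
    this.granted.add(category);
    this.events.push({ category, action: "grant", at: this.now() });
    for (const { name, load } of this.pending.get(category) || []) this.run(name, load);
    this.pending.delete(category);
  }

  // Withdrawal blocks future loads. Scripts that already ran cannot be
  // "un-run"; a real page would also clear their cookies and reload.
  withdraw(category) {
    if (!this.granted.delete(category)) return;
    this.events.push({ category, action: "withdraw", at: this.now() });
  }
}

// Constructed demo: loaders only record that they ran.
function demo() {
  const ran = [];
  const gate = new ConsentGate(() => "2018-05-25T00:00:00Z");
  gate.register("analytics", "page-stats", () => ran.push("page-stats"));
  gate.register("advertising", "ad-tag", () => ran.push("ad-tag"));
  const beforeConsent = [...ran];
  gate.grant("advertising");
  gate.withdraw("advertising");
  gate.register("advertising", "retargeting", () => ran.push("retargeting"));
  return { beforeConsent, ran, executed: gate.executed, events: gate.events };
}
```

Because nothing in `executed` can appear without a preceding `grant` event for its category, the list of executed scripts doubles as the evidence of consent the post refers to.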